Pendle Safeguards $105 Million After Penpie Hack
DeFi project Pendle claims to have safeguarded around $105 million in funds that could have been drained from Penpie following a hack on Tuesday targeting the independent Pendle ecosystem yield optimizer.
In a post-mortem after the incident early Wednesday morning, Pendle reported that the funds were protected due to a prompt pause in its contracts. Pendle expressed appreciation, stating, “Thanks to coordinated efforts from multiple parties, further breaches were mitigated, and Pendle contracts have now been unpaused. Normal operations have resumed.” The project reassured users that funds on Pendle remain safe and unaffected, emphasizing a commitment to prioritize the safety and security of the platform above all else.
Despite Pendle’s efforts, the attacker exploited Penpie’s protocol for around $27.3 million, exchanging various stolen assets for 11,109 ETH, according to blockchain analytics provider Lookonchain.
Root Cause of the Exploit
Blockchain security firm PeckShield identified the root cause as the introduction of an “evil market”—a malicious contract intended to inflate staking balances on Penpie to claim unwarranted rewards. Pendle confirmed that the vulnerability stemmed from a unique feature allowing permissionless listing of Pendle markets on Penpie. Pendle’s in-house monitoring system detected the suspicious contract, which was funded through Tornado Cash, but was unable to prevent the initial attack.
Market Reaction
Penpie’s PNP token plummeted by over 33% immediately following the incident, while Pendle’s native token fell about 9% in the last 24 hours, according to CoinGecko and The Block’s Pendle Price Page.
Penpie, currently paused, stated that it is open to negotiating with the hacker. As part of the negotiation, they proposed not pursuing legal action, keeping the attacker’s identity confidential, and offering a percentage of the stolen funds as a bounty reward.